In a time when invisible walls, locks and keys protect your company's data, physical security remains a challenge for businesses of every size. But physical security is information security, and its maintenance is just as important to reducing existential and financial risk to your organization.
Physical security comprises the multilayered procedures taken to prevent unauthorized physical access to networks, data, facilities, hardware, or software.
Physical security has three important components:
Knowing where holes in physical security exist at your company is an absolute must if you want to fix the problems. And in regulated environments, it's a must because you might incur substantial fines should information be unprotected.
Ultimately, if information gets out, "It doesn't matter how it gets out," says Devi Momot, Twinstate's CEO. It can be read off your screen in the classic shoulder surf and the consequences could be the same as if your network were hacked.
Consider that a physical security audit could help you identify gaps in security you never knew existed. The main issue at hand is access: can people physically access your data or restricted spaces?
"People gaining access to areas they shouldn't be in can take devices, hard drives, servers, computers. You can pick up a USB stick and put it in your pocket," says Momot.
And it's not just devices and data getting out that presents a physical security issue. Writes David Hutter for The SANS Institute:
"Leaving a USB flash drive on the ground outside of a building is another way that an attacker could steal data without ever gaining physical access. The malicious payload on the device infects an individual computer and possibly the entire network once an employee picks up the USB stick and inserts it into his or her computer. This type of incident happened at a U.S. Department of Defense base in the Middle East in 2008. An employee working at the base inserted a compromised USB memory stick into the government’s laptop. The virus spread undetected in both unclassified and classified systems and sent data back to remote servers in other countries."
Yikes. How can a physical security audit possibly account for issues like that? Momot suggests that an audit should also check how malicious material can get in, not just how data can get out. If an auditor found you had no USB stick policy in place, that would be considered a physical hole in security.
No USB stick policy? You could be putting your business at risk.
So aside from literal physical theft or infiltration, what other holes might a physical security audit help you discover?
"A good physical security plan is good from both a digital and human perspective," says Momot. That means it should cover the physical space in and around your building, and treat it just like access to digital information, where segmentation is vital.
"All access should be need based, not right or desire based," Momot clarifies. "That can minimize the chance of something bad happening, or allow you to contain or pinpoint a perpetrator." A physical security audit might reveal, for instance, that you have no camera surveillance of your delivery bay and can't form an audit trail of which people were there, and when. Why is that important?
"We had a situation where we saved both money and time when we were sent a faulty bill," Momot shares. "We disputed it and the company said the delivery person had our company logo on their clothes, used our account code, and said they were from our company. We asked for video. They sent it — and it was not one of our employees." Because that company had an audit trail of their delivery bay, Twinstate was protected.
Although there are a million good reasons a physical security audit is important, perhaps the most relevant to all people everywhere — regardless of data or regulations — is bodily safety.
Creating a secure building where all employees can not only feel safe, but actually be safe, is critical.
This is where credentials and locks come into play. What if just anyone could walk through your front door and into your office space? Not only might that person have access to computers and, therefore, data, but they would also have access to your employees. Credentials can prevent that, and so can a good lock system.
But not every lock system is what it's made out to be. Momot says she has been assured that certain locks were secure, only for her team to pick them in two minutes. That's what the audit is for.
To ensure you're capturing everything, hire a third-party auditor. Not every contractor handles every aspect of physical security, so Momot recommends working from a network security perspective in order to protect both information and personal safety. She also suggests finding a security partner who's licensed in your state, so you stay in compliance with the process and are able to ensure you're getting the best review you can find.